Lucene search

GitHub Advisory DatabaseGHSA-M8XW-9X5X-6VH3

HistoryDec 06, 2022 - 9:30 p.m.

py7zr directory traversal vulnerability

2022-12-0621:30:45

CWE-22

GitHub Advisory Database

github.com

python

library

vulnerability

directory traversal

sevenzipfile

crafting

7z file

arbitrary files

extracting

software

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.01

Percentile

84.0%

JSON

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

Affected configurations

Vulners

Node

py7zr_projectpy7zrRange≤0.20.0python

VendorProductVersionCPE
py7zr_projectpy7zr*cpe:2.3:a:py7zr_project:py7zr:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
py7zr_project	py7zr	*	cpe:2.3:a:py7zr_project:py7zr::::::python::*

References

packetstormsecurity.com/files/170127/py7zr-0.20.0-Directory-Traversal.html

advisory-inbox.githubapp.com/advisory_reviews/GHSA-m8xw-9x5x-6vh3

github.com/advisories/GHSA-m8xw-9x5x-6vh3

github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406

lessonsec.com/cve/cve-2022-44900/

nvd.nist.gov/vuln/detail/CVE-2022-44900

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.01

Percentile

84.0%

JSON

Related for GHSA-M8XW-9X5X-6VH3